The hypothesis is that the detection identifies potential PlugX malware activity associated with the Codoso APT, leveraging suspicious file artifacts indicative of malicious execution. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early-stage compromise and prevent lateral movement within the network.
YARA Rule
rule Codoso_PlugX_3
{
    meta:
        description = "Detects Codoso APT PlugX Malware"
        author = "Florian Roth"
        reference = "https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks"
        date = "2016-01-30"
        hash = "74e1e83ac69e45a3bee78ac2fac00f9e897f281ea75ed179737e9b6fe39971e3"
    strings:
        $s1 = "Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password." fullword wide
        $s2 = "mcs.exe" fullword ascii
        $s3 = "McAltLib.dll" fullword ascii
        $s4 = "WinRAR self-extracting archive" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 1200KB and all of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 4 string patterns in its detection logic.
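To make the rule's semantics concrete (the little-endian MZ check, the 1200KB size bound, and what "fullword" and "wide" mean for each of the four strings), here is a plain-Python re-implementation of the condition. This is an added example, not part of the original rule or of Florian Roth's work; the two byte buffers it evaluates are constructed for illustration and are not real PlugX samples.

```python
RULE_STRINGS = {  # string id -> (text, modifier), copied from the rule above
    "$s1": ("Cannot create folder %sDCRC failed in the encrypted file %s. "
            "Corrupt file or wrong password.", "wide"),
    "$s2": ("mcs.exe", "ascii"),
    "$s3": ("McAltLib.dll", "ascii"),
    "$s4": ("WinRAR self-extracting archive", "wide"),
}
MAX_SIZE = 1200 * 1024  # YARA's "KB" suffix is a multiple of 1024

def encode(text: str, modifier: str) -> bytes:
    # "wide" searches the UTF-16LE form (a NUL after each ASCII char); "ascii" the raw bytes.
    return text.encode("utf-16-le") if modifier == "wide" else text.encode("ascii")

def _is_word_char(chunk: bytes, modifier: str) -> bool:
    # A neighbour is a word character if it is ASCII alphanumeric; for wide strings
    # the neighbour is two bytes, the second of which must be NUL.
    if modifier == "wide":
        return len(chunk) == 2 and chunk[1] == 0 and bytes([chunk[0]]).isalnum()
    return len(chunk) == 1 and chunk.isalnum()

def fullword_match(data: bytes, pattern: bytes, modifier: str) -> bool:
    # "fullword": the occurrence must not be flanked by word characters on either side.
    width = 2 if modifier == "wide" else 1
    pos = data.find(pattern)
    while pos != -1:
        before = data[max(pos - width, 0):pos]
        after = data[pos + len(pattern):pos + len(pattern) + width]
        if not _is_word_char(before, modifier) and not _is_word_char(after, modifier):
            return True
        pos = data.find(pattern, pos + 1)
    return False

def evaluate(data: bytes) -> dict:
    """Evaluate every clause of Codoso_PlugX_3 over a buffer and report each one."""
    result = {
        "mz_header": int.from_bytes(data[:2], "little") == 0x5A4D,  # uint16(0) == 0x5a4d
        "size_ok": len(data) < MAX_SIZE,                              # filesize < 1200KB
    }
    for name, (text, modifier) in RULE_STRINGS.items():
        result[name] = fullword_match(data, encode(text, modifier), modifier)
    result["match"] = all(result.values())  # "all of them" together with the two clauses above
    return result

# Constructed buffers (not real samples): an MZ stub carrying the four strings in the
# encodings the rule expects, and a variant with the loader name glued to another token
# so that "$s2" no longer matches as a full word and the rule does not fire.
SAMPLE = (b"MZ" + b"\x00" * 62 + encode(RULE_STRINGS["$s4"][0], "wide") + b"\x00\x00"
          + b"mcs.exe\x00McAltLib.dll\x00\x00" + encode(RULE_STRINGS["$s1"][0], "wide"))
NEAR_MISS = SAMPLE.replace(b"\x00mcs.exe\x00", b"\x00xmcs.exe\x00")
```

Running `evaluate()` on a file you are triaging shows which clause fails, which is useful when a sample is suspected to be a repacked variant that the rule no longer catches.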
Scenario: Scheduled System Maintenance Job
Description: A legitimate system maintenance job (e.g., schtasks.exe or task scheduler) runs a script that includes base64 encoded content, which triggers the PlugX YARA rule.
Filter/Exclusion: Check for ProcessName containing schtasks.exe or taskhost.exe, or filter by CommandLine containing schtasks or scheduling.
Scenario: Admin Using PowerShell for Remote Management
Description: An administrator uses PowerShell (e.g., powershell.exe) to execute a script that includes encoded payloads, which matches the PlugX YARA signature.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for CommandLine containing -Command or -File with known admin scripts.
Scenario: Encoded Log File Parsing by SIEM Tool
Description: A SIEM tool (e.g., Splunk, ELK) parses log files and encodes log data using base64, which coincidentally matches the PlugX YARA rule.
Filter/Exclusion: Filter by ProcessName containing splunkd.exe, logstash, or kibana, or check for File paths related to SIEM tools.
Scenario: Encrypted Backup Script Execution
Description: A backup script (e.g., vssadmin.exe, wbadmin.exe) is encrypted using base64 encoding for transport, which triggers the PlugX YARA rule.
Filter/Exclusion: Filter by ProcessName containing vssadmin.exe or wbadmin.exe, or check for File paths related to backup services.
Scenario: Base64 Encoding in Development Tools
Description: A developer uses a tool like `